[strongSwan] Pluto Bug or Config Error? strongswan vs cisco

Germano Veit Michel germanovmichel at aim.com
Wed Feb 8 19:29:41 CET 2012


Hello everyone, just joined the list.


I'm trying to establish a secured connection between a Cisco router and a Linux box running strongswan.


This is the TEST scenario:


CISCO ----------------------------------------------------------------------------------------- LINUX
192.168.11.244                                                                  192.168.11.235
----------------------------------------------------------------------------------------
Cisco configuration:



crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2  
crypto isakmp key teste123 address 192.168.11.235


crypto ipsec transform-set tset esp-3des esp-md5-hmac 


crypto ipsec profile ipsec
 set transform-set tset 


interface Tunnel0
 no ip address
 shutdown
 tunnel source 192.168.11.244
 tunnel destination 192.168.11.235
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec


----------------------------------------------------------------------------------------
Strongswan configuration:



config setup
        nat_traversal=yes
        plutodebug=all


conn host-host
        type=tunnel
        authby=secret
        left=192.168.11.235
        leftsubnet=%default
        right=192.168.11.244
        rightsubnet=%default
        auto=start
        esp=3des-md5-modp1024
        ike=3des-md5-modp1024
        keyexchange=ikev1

----------------------------------------------------------------------------------------


The result is that strongswan fails with this error and the connection is not established.



| find_client_connection starting with host-host
|   looking for 0.0.0.0/0:0/0 -> 0.0.0.0/0:0/0
|   concrete checking against sr#0 192.168.11.235/32 -> 192.168.11.244/32
|   fc_try trying host-host:0.0.0.0/0:0/0 -> 0.0.0.0/0:0/0 vs host-host:192.168.11.235/32:0/0 -> 192.168.11.244/32:0/0
|   fc_try concluding with none [0]
|   fc_try host-host gives none
|   checking hostpair 192.168.11.235/32 -> 192.168.11.244/32 is not found
|   concluding with d = none
"host-host" #3: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===192.168.11.235[192.168.11.235]...192.168.11.244[192.168.11.244]===0.0.0.0/0
"host-host" #3: sending encrypted notification INVALID_ID_INFORMATION to 192.168.11.244:500

It seems to me that the Cisco doesn't fill in those network fields in the SA request packet when it is in tunnel (VTI) mode. And it makes sense, since it's just configuring a tunnel: there are no subnets (the left/right subnet stuff).


I believe pluto is behaving improperly in this situation, but before I report a bug or try to fix it, it would be nice if someone could comment on this issue. I might have misconfigured the Cisco and/or strongswan.


By the way, racoon has no problem validating that 0.0.0.0/0 subnet.


Thanks,
Germano
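An added example (not code from the post, from strongSwan or from the poster) that parses the two pluto selector lines quoted in the message and compares them the two ways a responder could: strict equality, which is what the `fc_try ... concluding with none` output reflects, and containment-based narrowing as IKEv2 permits. The `required_config` helper and its `leftsubnet`/`rightsubnet` values are an assumption about what a strict match would need, not a confirmed fix.

```python
import ipaddress
import re

# Constructed sample: the two pluto debug lines from the post that print the
# peer's proposed selectors and the connection's configured selectors.
PLUTO_LOG = """\
|   looking for 0.0.0.0/0:0/0 -> 0.0.0.0/0:0/0
|   concrete checking against sr#0 192.168.11.235/32 -> 192.168.11.244/32
"""

# "<net>/<len>" optionally followed by ":<proto>/<port>", on both sides of "->".
SEL_RE = re.compile(
    r"(\d+\.\d+\.\d+\.\d+/\d+)(?::\d+/\d+)?\s*->\s*(\d+\.\d+\.\d+\.\d+/\d+)"
)

def parse_selectors(log):
    """Map 'proposed' / 'configured' to (local, remote) ip_network pairs."""
    found = {}
    for line in log.splitlines():
        m = SEL_RE.search(line)
        if not m:
            continue
        pair = (ipaddress.ip_network(m.group(1)), ipaddress.ip_network(m.group(2)))
        if "looking for" in line:
            found["proposed"] = pair
        elif "concrete checking" in line:
            found["configured"] = pair
    return found

def exact_match(proposed, configured):
    """Strict comparison: the log shows pluto finding no connection unless both sides match."""
    return proposed == configured

def narrowable(proposed, configured):
    """Containment test (IKEv2-style narrowing): configured nets lie inside proposed ones."""
    return all(c.subnet_of(p) for p, c in zip(proposed, configured))

def required_config(proposed):
    """Hypothetical ipsec.conf values that would make exact_match() succeed."""
    local, remote = proposed
    return {"leftsubnet": str(local), "rightsubnet": str(remote)}

def diagnose(log):
    sel = parse_selectors(log)
    return {
        "exact": exact_match(sel["proposed"], sel["configured"]),
        "narrowable": narrowable(sel["proposed"], sel["configured"]),
        "would_need": required_config(sel["proposed"]),
    }
```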

